Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to extract value from end of line

lalbsah
Engager
‎05-14-2012 07:35 AM

I have below log format and I want to get value of getTaskHistoryList(in this case it is 33 but this may get changed).
Trace: 2012/05/10 19:32:39.047 01 t=9AF4F8 c=UNK key=P8 (0000000A) Description: Log Java Message Message: Time taken for getTaskHistoryList 33

How to extract only getTaskHistoryList value and create chart out of these values?

Tags (1)
Reply

dwaddle
SplunkTrust
SplunkTrust
‎05-14-2012 07:40 AM

Well, given the one example event, one might try

... | rex "getTaskHistoryList (?<field_name>\d+)$"

However, a more thorough regex might be:

... | rex "Message: Time take for (?<operation>[^\s]+) (?<time_taken>\d+)$"

These are not particularly complicated regular expressions. If you are not already familiar, I would recommend studying how regular expressions work in general - there is a good website, http://www.regular-expressions.info/, and O'Reilly has an excellent (if a little aged) paperback book on the subject, http://shop.oreilly.com/product/9780596528126.do

Also, you should study up on how Splunk uses regular expressions for field extraction. http://docs.splunk.com/Documentation/Splunk/4.3/Knowledge/Aboutfields is as good of a place as any to start.

Reply
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...